HTML Based Windows Authentication

I am trying something new with authentication and our intranet site. Basically I am disabling our current method of authentication and moving to a Windows-based authentication (built into IIS). The problem is our users are not always at their computers at work. Basically, what I am trying to do is replace the ugly Windows username and password popup with an HTML form that does the same task. Any suggestions on how to go about this?
Asked by JoshDale
 
pinaldave commented:
Kerberos is the answer but I can clearly see that it is very complex and hard to implement.

There is some info on MS site : http://support.microsoft.com/kb/308160/EN-US/
http://support.microsoft.com/default.aspx?scid=kb;en-us;324276

Regards,
---Pinal
 
JoshDale (Author) commented:
Well, I know how it works a little better. It doesn't really talk about how information is transferred via client-->server though.
 
INSDivision6 commented:
You cannot emulate Windows authentication (NTLM) in HTML.  However, for intranet you don't need to do so at all,  as it was pointed out already.  This is because clients are authenticated already.  So, you need just handle permissions on the server.
 
JoshDale (Author) commented:
Yea, this is only for users that are accessing the intranet remotely. And I won't actually be using HTML, I will actually be using flash, I just thought it would be easier describing the situation using HTML.
 
INSDivision6 commented:
If you want to implement real built-in IIS security, it is not possible, unless you somehow make them properly log in in Flash, so the client's browser will run under an appropriate account. I don't think it is possible on computers which are not members of a domain without the IE pop-up box. There are Windows HTTP functions, of course, which allow "invisible" login, but we are talking just about using a browser?
 
JoshDale (Author) commented:
Yes, I was just wondering if you can replace the ugly-ass popup Windows gives you ;o) with an HTML or Flash based login screen. This was pretty much just for aesthetic reasons. I can probably live with it... I guess... If I have to ;o).

Thanks for the help
 
sigmacon commented:
Josh, I have come across some stuff to determine the currently authenticated user from within CF, but I would have to dig for a while to find it. To be honest, I do not believe it is worth the effort JUST to make the login window look different - and they would get it anyway! If you require authentication on your pages (whether Basic or Integrated), then Windows will get to it first and the client will display the UGLY login window.

Of course it is theoretically possible to get the user authentication information from the user thru a non-protected page, and then authenticate them against windows and forward them to the protected pages, but that would take me at least a day to find out in detail how to do that, and it would be an ugly hack deep down the windows internals, all proxied thru CF's Java layer - mind you.

One final note: In Basic HTTP authentication, the password is sent in clear text. If you use NTLM, then CF will not have access to the authentication (see your previous post too).

Sorry man. The best and safest way to log people in is to use SSL for the transport, and whatever your backend authentication database is, whether SQL, LDAP, or - with the proper hooks - Active Directory or the machine-local user database.
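Josh asked earlier how the information actually travels from client to server, and sigmacon's note above is the key point: with Basic authentication the browser sends the password itself, only Base64-encoded. The Python example below is added here and is not code from the thread (and not ColdFusion): it decodes a constructed `Authorization: Basic` header exactly as a proxy or sniffer on the path would, and maps the result onto the AUTH_USER / AUTH_PASSWORD names the CGI variables carry. The header value, user and password are constructed sample data, and the mapping onto those variable names is an assumption for illustration. With NTLM, by contrast, browser and IIS run a challenge/response exchange and the password never crosses the wire, which is why CF only ever sees the user name in that mode.

```python
import base64
import binascii

# Constructed sample header, as a browser sends it after the user fills in the
# Basic authentication popup (example data, not taken from the thread).
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"CORP\\alice:s3cret-pa55").decode("ascii")


def parse_basic_authorization(header_value):
    """Return (user, password) from an HTTP Basic Authorization header, or None.

    Base64 is an encoding, not encryption: anything on the path between the
    browser and IIS (proxy, sniffer) recovers the password with exactly this
    code, which is why Basic authentication needs SSL on the transport.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: user-id ":" password. The user-id may not contain ":" but the
    # password may, so split on the first colon only.
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def cgi_auth_variables(header_value):
    """Model the CGI variables a ColdFusion page sees after IIS completed Basic auth.

    Assumption for illustration: IIS copies the decoded user and password into
    AUTH_USER and AUTH_PASSWORD. Under NTLM no password is transmitted, so only
    the user name could ever be filled in.
    """
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return {}
    user, password = parsed
    return {"AUTH_TYPE": "Basic", "AUTH_USER": user, "AUTH_PASSWORD": password}
```

The `validate=True` flag rejects tokens with characters outside the Base64 alphabet instead of silently discarding them, and splitting on the first colon keeps passwords that themselves contain colons intact.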
 
JoshDale (Author) commented:
Actually, I have been putting a lot of thought into this. Couldn't I just use CGI variables to check the current user (if they are logged on locally through our domain)? I could then run a check to see if the user is logged in, and if they aren't I could then throw them the login page.
What do you think of this?
 
JoshDale (Author) commented:
I am looking at the CGI variable list and came up with these:
CGI.Auth_Password (I would assume this is to see what password the user used when they used Basic Windows Auth correct?)
CGI.Auth_User (I would also assume this is based on Basic Windows Auth)

CGI.Remote_Addr (I could get this information and if the users ip isn't within a certain range 192.168.0.0 - 192.168.255.255 I can throw the login page)
CGI.Logon_User (Can I use this without Basic Authentication to see the username of the person accessing the site?)

Sorry, I am relatively new to CF still. The descriptions for some of these vars are sort of vague.
 
sigmacon commented:
You can determine the logged-on user through CGI variables, IF they logged on already, that means, AFTER they saw the login-in screen - if if they are at your office. And your page will not be executed UNLESS they logged on.
 
sigmacon commented:
It's supposed to say: AFTER they saw the login-in screen - OR if they are at your office.

You could do anything you want with any of those values. But what I said in my last comment still applies.
 
JoshDale (Author) commented:
What I am thinking is I can check a number of things in this order.

1. Cookie: If they have been logged in before, I can use a cookie to store their information.
2. Username: Check to see if their username matches that of what is on the database.
3. IP Address: Check to see if their IP address matches that of our company scope.

if NOT

Send the user to the login page regardless.
 
sigmacon commented:
Josh, I think we are not talking about the same thing. You said you wanted to get rid of the "ugly" login/authentication popup that external users get when they connect to your website? If that's so, then YOU WILL NOT BE ABLE TO DO ANYTHING IN COLDFUSION AT THIS POINT, BECAUSE CF HAS NOT EVEN BEEN CALLED YET. If that's not the problem you have, please describe what you are trying to do more specifically.
 
JoshDale (Author) commented:
That was, but I was re-evaluating the solution. Instead of using Windows Authentication, why don't I just get the user's information and use that to authenticate the user; for example Username and IP Address. I can check to see if the Username matches one in the system, and if so, I can then check to see if the user's IP Address is within the acceptable range. If any of those conditions fail, I just pass a login page to them. This way, the user doesn't have to log in if they are in our local domain but would have to under all circumstances.
 
sigmacon commented:
You would be 1000% safer with your first approach, because it's not home-grown and also protects your entire website. To compromise security just to get rid of some popup window does not seem balanced. Authenticating based on IP address is always a bad idea, because they could be spoofed. But if the convenience is more important, then your approach is definitely viable. I hope I could be of some help.
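Josh's plan above checks a cookie, then the username, then the address range, and sigmacon's warning is that a source address can be spoofed and so proves nothing by itself. The Python example below is added here and is not code from the thread (and not ColdFusion; the CFML equivalent would read the COOKIE scope, CGI.REMOTE_ADDR and the user table). It implements the three checks in Josh's order, signs the login cookie with an HMAC so a client cannot forge a "logged in before" cookie or edit the name in it, and returns a distinct verdict whenever access would rest only on a claimed username plus an address inside 192.168.0.0/16, so that the weak case is visible rather than silently treated as a login. The secret key, user list, addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed for the example: the key stays on the server, the set stands in for
# the user table, and the range is Josh's 192.168.0.0 - 192.168.255.255.
SERVER_SECRET = b"example-only-replace-with-a-random-key"
KNOWN_USERS = {"alice", "bob"}
INTRANET_RANGE = ipaddress.ip_network("192.168.0.0/16")
COOKIE_LIFETIME = 8 * 3600  # seconds a login cookie stays valid


def _sign(payload):
    """HMAC-SHA256 over the cookie payload, keyed with the server secret."""
    return hmac.new(SERVER_SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_session_cookie(username, now=None):
    """Value to set in the login cookie after the user passed the login page: user|expiry|mac.

    The MAC binds name and expiry to the server secret, so editing the cookie to
    another name, or extending the expiry, breaks the signature.
    """
    now = time.time() if now is None else now
    payload = f"{username}|{int(now) + COOKIE_LIFETIME}"
    return f"{payload}|{_sign(payload)}"


def user_from_cookie(cookie, now=None):
    """Return the user name a valid, unexpired cookie vouches for, else None."""
    now = time.time() if now is None else now
    try:
        username, expires, mac = cookie.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return None  # missing, malformed or tampered structure
    if not hmac.compare_digest(mac, _sign(f"{username}|{expires}")):
        return None  # signature does not match: forged or edited cookie
    if expires < now:
        return None  # expired
    return username


def decide(cookie, claimed_user, remote_addr, now=None):
    """Josh's three checks in his order: cookie, username, address range.

    Returns ("allow", user) when a signed cookie proves an earlier login,
    ("allow-address-only", user) when access would rest on a claimed name plus
    an address inside the intranet range, and ("login", reason) otherwise.
    """
    # 1. Cookie: the only check that ties this request to a completed login.
    user = user_from_cookie(cookie, now)
    if user in KNOWN_USERS:
        return ("allow", user)
    # 2. Username: must exist in the database, but the client chose the value.
    if claimed_user not in KNOWN_USERS:
        return ("login", "unknown user")
    # 3. Address: inside the office range or not. Spoofable, and shared by every
    #    machine on the LAN, so flag the result rather than treating it as proof.
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return ("login", "unparseable address")
    if addr not in INTRANET_RANGE:
        return ("login", "outside intranet range")
    return ("allow-address-only", claimed_user)
```

The "allow-address-only" verdict is where the home-grown scheme is weakest: any machine plugged into the office network that knows a colleague's username gets through without ever seeing a login page, which is the trade-off sigmacon describes. The signed cookie, issued only after the login page verified a password, is the one check that actually authenticates.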
 
JoshDale (Author) commented:
IP Address and Username
 
JoshDale (Author) commented:
Wow, I just had the biggest brain lapse of all time. I just remembered God invented cookies for a reason, right???

Thanks for the help sigmacon.